Responsible Disclosure Policy

How to report security vulnerabilities to Yomly responsibly.

Our Commitment

If you discover a security vulnerability in any Yomly system or service and report it to us in good faith, in accordance with this policy, we commit to:

• Acknowledging receipt of your report within 10 business days.
• Providing an initial assessment of the report and its severity within 20 business days.
• Keeping you informed of our progress at reasonable intervals as we investigate and remediate the issue.
• Not pursuing legal action against researchers who act in good faith and comply with this policy.
• Treating your report confidentially and not sharing your personal details without your consent.
  
  

In Scope

The following Yomly-owned assets are in scope for responsible disclosure:

• The Yomly HR and payroll platform.
• The Yomly public website..
• Yomly-published APIs used by clients for integration.
  
  

Out of scope

The following are explicitly out of scope and should not be tested:

• Systems or services belonging to Yomly clients, partners, or third-party suppliers.
• Physical security of Yomly offices or data centres.
• Social engineering attacks targeting Yomly employees or clients.
• Denial of service (DoS or DDoS) attacks of any kind.
• Automated scanning of production systems without prior approval.
• Vulnerabilities in third-party software or infrastructure not under Yomly’s direct control.
  
  

Reporting a Vulnerability

To report a vulnerability, email disclosure@yomly[.]com with the subject line: ‘Vulnerability Disclosure’.

Please include in your report:

• A clear description of the vulnerability and its potential impact.
• The specific system, URL, or component affected.
• Step-by-step instructions to reproduce the issue.
• Any proof-of-concept code, screenshots, or supporting evidence (without compromising client data).
• Your contact details so we can respond.
  
  

Safe Harbour

Yomly will not take legal action against individuals who discover and report vulnerabilities in good faith, provided they:

• Comply with this policy and do not act in ways intended to harm Yomly, its clients, or their data.
• Do not access, modify, delete, or exfiltrate data beyond what is strictly necessary to demonstrate the vulnerability.
• Do not disclose the vulnerability publicly before Yomly has had a reasonable opportunity to investigate and remediate it.
• Do not engage in any activities that would violate applicable local or international law.

This safe harbour applies to the individual who originally discovered and reported the vulnerability. It does not extend to third parties or to disclosures made outside the terms of this policy.

Responsible Research Guidelines

When conducting security research on Yomly systems, you must:

• Only test against systems you are authorised to test, or against systems explicitly listed as in scope in this policy.
• Not access, store, or use any client or employee data encountered during testing.
• Not perform testing that disrupts, degrades, or affects Yomly’s services or other users.
• Not exploit any vulnerability beyond the minimum necessary to confirm its existence.
• Report findings to Yomly before disclosing to any third party.
  
  

Coordinated Disclosure

Yomly follows a coordinated disclosure model. We request that researchers allow us a reasonable period, typically 90 days, to investigate and remediate a reported vulnerability before any public disclosure. If we are unable to resolve the issue within this period, we will discuss an appropriate timeline with you.

We may credit researchers who report valid vulnerabilities in accordance with this policy, subject to the researcher’s consent. We do not currently operate a paid bug bounty programme.

Vulnerability Notification to Clients

Where a vulnerability has the potential to affect client data or platform availability, we will notify affected clients in accordance with our incident response process and applicable regulatory notification obligations. The timeline and scope of client notification will be determined on a case-by-case basis based on the nature and severity of the issue.